Monitoring Linux Logs with OpenSearch and Filebeat
Linux servers produce logs that matter for both security and operations: SSH logins, sudo use, service errors, and kernel messages. Reading them host by host is slow and error-prone. This tutorial shows how to centralize them by shipping Linux logs to OpenSearch with Filebeat.
OpenSearch is a search and analytics engine that can store these logs and let you search and filter them fast.
Filebeat is a lightweight log shipper that reads log files and sends events to a backend, and the system module is designed for common Linux logs like syslog and authorization logs.
Important Note: OpenSearch documents that Beats newer than 7.12.x are not supported, and it lists Filebeat OSS 7.12.1 as a compatible option, so this tutorial uses Filebeat OSS 7.12.x.
By the end of this article from PerLod Hosting, you will have:
- An OpenSearch node or cluster that is ready to receive log data.
- Filebeat OSS installed on one or more Linux servers.
- Linux syslog and auth logs shipped into OpenSearch indexes.
- OpenSearch Dashboards ready for searching and simple monitoring views.
Requirements To Monitor Linux Logs with OpenSearch and Filebeat
Before you start, make sure you have:
- Ubuntu or Debian servers. The steps also work on many other Linux distributions with small changes, mainly the log file paths.
- OpenSearch running, single node or multi-node, and reachable from the servers whose logs you want to collect.
- OpenSearch Dashboards installed for viewing the logs.
- Network access from the log servers to the OpenSearch HTTP port, usually 9200. Filebeat does not need the transport port 9300; that one carries node-to-node traffic only.
Do not expose OpenSearch to the public internet, and use TLS and per-user accounts even on private networks: logs routinely contain usernames, source IPs, command lines, and other sensitive data, and an unauthenticated endpoint lets anyone read or delete them.
You can check the following articles for installing and bringing up the OpenSearch cluster and setting up TLS, firewall rules, and access control basics:
OpenSearch Cluster Setup Guide
Step 1. Prepare OpenSearch to monitor Linux Logs with Filebeat
We assume you have already installed and configured OpenSearch. Run a few quick checks before you start shipping logs to it.
From an OpenSearch node, you can run the commands below to check cluster health:
PASS='YourStrongPassword'
curl -k -u admin:"$PASS" https://127.0.0.1:9200/
curl -k -u admin:"$PASS" https://127.0.0.1:9200/_cluster/health?pretty
If both calls return JSON, and the second reports a "status" of green or yellow, OpenSearch is alive and you can connect Filebeat. The -k flag skips certificate verification; that is tolerable for a loopback check against a self-signed demo certificate, but use --cacert with your CA file for any check that crosses the network.
Also keep OpenSearch closed to arbitrary IPs. A firewall allowlist is a good start: only your private subnet can reach 9200, only the cluster nodes themselves need 9300, and everything else is blocked. ufw evaluates rules in the order they were added, so add the allow rules before the deny rules.
For example, run the commands below with your real subnet:
sudo ufw allow from 10.0.0.0/24 to any port 9200
sudo ufw allow from 10.0.0.0/24 to any port 9300
sudo ufw deny 9200
sudo ufw deny 9300
Beats read the version number from the root response (GET /) and reject versions they consider unsupported, and OpenSearch reports its own 1.x or 2.x version there. The OpenSearch compatibility setting below makes the root response advertise version 7.10.2 so that Filebeat's version check passes.
You can set it by API:
curl -k -u admin:"$PASS" -X PUT "https://OPENSEARCH-IP:9200/_cluster/settings" \
  -H 'Content-Type: application/json' \
  -d '{
    "persistent": {
      "compatibility": {
        "override_main_response_version": true
      }
    }
  }'
Or, you can set it on each node in the opensearch.yml file:
compatibility.override_main_response_version: true
Then, restart the service.
Step 2. Install Filebeat OSS with the Supported Version in OpenSearch
As noted above, OpenSearch documents that Beats OSS, including Filebeat, are compatible only up to 7.12.x, and lists Filebeat OSS 7.12.1 as a compatible option.
You can install Filebeat OSS 7.12.x on each Linux server you want to monitor with the commands below.
Update packages and install required tools with the commands below:
sudo apt update -y
sudo apt install curl ca-certificates -y
Download the Filebeat OSS 7.12.1 package:
cd /tmp
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.12.1-amd64.deb
Install the Filebeat OSS package with the following command:
sudo dpkg -i filebeat-oss-7.12.1-amd64.deb
If you see dependency errors, fix them with the command below:
sudo apt -f install -y
After the installation completes, check the version and confirm the systemd unit exists. The package installs the service disabled and stopped, so "inactive" is the expected state at this point:
filebeat version
sudo systemctl status filebeat --no-pager
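The download step above installs whatever the server returned, so the package should be checked before it is handed to dpkg. As an added example that is not part of the article, the script below fetches the package together with the .sha512 file Elastic publishes beside each artifact and refuses to run dpkg unless the digest matches. The base URL, version and /tmp path are assumptions; Elastic also publishes a detached .asc signature if you prefer GPG verification.

```bash
#!/bin/sh
# Added example (not from the PerLod article): download Filebeat OSS and
# verify its SHA-512 digest before installing. Assumptions: the Elastic
# artifact URL layout, version 7.12.1, and /tmp as the working directory.
FILEBEAT_VERSION="${FILEBEAT_VERSION:-7.12.1}"
PKG="filebeat-oss-${FILEBEAT_VERSION}-amd64.deb"
BASE_URL="https://artifacts.elastic.co/downloads/beats/filebeat"

# digest_file PATH: hex SHA-512 of a file (coreutils or perl shasum).
digest_file() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_sha512 PKG_PATH SHA_FILE: returns 0 only when the digest matches.
# Elastic's .sha512 files contain "<hex digest>  <filename>"; only the digest
# column is compared, so the package may live in any directory.
verify_sha512() {
    pkg_path="$1"; sha_file="$2"
    if [ ! -f "$pkg_path" ] || [ ! -f "$sha_file" ]; then
        echo "verify_sha512: missing $pkg_path or $sha_file" >&2
        return 2
    fi
    expected="$(awk 'NR==1 {print $1}' "$sha_file")"
    actual="$(digest_file "$pkg_path")"
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "SHA-512 mismatch for $pkg_path; do not install it" >&2
        return 1
    fi
    echo "SHA-512 ok: $pkg_path"
}

# install_filebeat: download package and digest, verify, then install.
install_filebeat() {
    cd /tmp || return 1
    curl -fsSL -O "${BASE_URL}/${PKG}" || return 1
    curl -fsSL -O "${BASE_URL}/${PKG}.sha512" || return 1
    verify_sha512 "$PKG" "${PKG}.sha512" || return 1
    sudo dpkg -i "$PKG" || sudo apt -f install -y
}

# Nothing is downloaded unless explicitly requested:
#   FILEBEAT_INSTALL=1 sh install-filebeat.sh
if [ "${FILEBEAT_INSTALL:-0}" = "1" ]; then install_filebeat; fi
```

The check compares digests rather than calling sha512sum -c, so it does not care which directory the package was saved in; a mismatch or a missing file both return non-zero, and the `||` chain in install_filebeat stops before dpkg runs.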
Step 3. Enable Linux Log Collection in Filebeat
Filebeat modules are pre-made configurations for common log types. A module has two halves: the input settings that tell Filebeat which files to read, and ingest pipelines that Filebeat loads into the output cluster on startup to parse each line into fields. The system module is the easiest way to collect Linux system logs.
To enable the system module, you can run the command below:
sudo filebeat modules enable system
This renames system.yml.disabled to system.yml under /etc/filebeat/modules.d so that Filebeat loads it.
To configure syslog and auth logs, open the following file:
sudo nano /etc/filebeat/modules.d/system.yml
Make sure the file enables both filesets. The defaults below match Debian and Ubuntu; uncomment var.paths and change it only if your distribution writes these logs elsewhere (for example /var/log/messages and /var/log/secure on RHEL-family systems). If rsyslog is not installed, these files may not exist at all and Filebeat has nothing to read.
- module: system
  syslog:
    enabled: true
    #var.paths: ["/var/log/syslog*"]
  auth:
    enabled: true
    #var.paths: ["/var/log/auth.log*"]
Step 4. Configure Filebeat Output to OpenSearch
Filebeat has no dedicated OpenSearch output. It sends events through its Elasticsearch output to any endpoint that speaks the compatible API, which is the Beats path OpenSearch documents, with the version limits noted above.
To configure Filebeat output to OpenSearch, edit the Filebeat YAML file:
sudo nano /etc/filebeat/filebeat.yml
You have two options:
Option A. HTTPS with username and password, no certificate check. This is a test-only config. ssl.verification_mode: none makes Filebeat accept any certificate, so anyone on the network path can impersonate OpenSearch, capture the writer credentials, and read or alter the logs in transit. For production, use Option B and trust your CA instead.
output.elasticsearch:
  hosts: ["https://OPENSEARCH-IP:9200"]
  username: "filebeat_writer"
  password: "STRONG_PASSWORD"
  ssl.verification_mode: none
Option B (Recommended). HTTPS with a CA file. Copy the CA certificate that signed the OpenSearch node certificates to the log server, for example /etc/filebeat/certs/ca.pem, readable by root only.
Then, configure:
output.elasticsearch:
  hosts: ["https://OPENSEARCH-IP:9200"]
  username: "filebeat_writer"
  password: "STRONG_PASSWORD"
  ssl.certificate_authorities:
    - /etc/filebeat/certs/ca.pem
The Beats documentation describes ssl.certificate_authorities as the way to trust a CA for TLS connections. With verification on, the host name or IP you put in hosts must match a Subject Alternative Name in the node certificate, or the handshake fails.
Note: Do not use the OpenSearch admin user for shipping logs. It can read and delete every index and change the security configuration, which is far more than ingestion needs. Create a writer user with only the permissions it requires.
A writer user is a dedicated OpenSearch user for Filebeat with write access to the log indexes only, instead of full admin access. In the OpenSearch Security plugin, create a role whose index permissions are limited to the filebeat-* pattern, plus the few cluster-level actions Filebeat performs at startup (loading its index template and the module ingest pipelines), then map the Filebeat user to that role so every request is confined to those permissions. Also keep the password out of plain text where you can: Filebeat's keystore (filebeat keystore add NAME) lets filebeat.yml reference the secret as ${NAME} instead of embedding it.
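The role and user described above, as an added example that is not part of the article or of the OpenSearch documentation. It uses the Security plugin REST API (the _plugins/_security paths of OpenSearch 1.x and later). The endpoint, CA path, role name and the exact permission list are assumptions: the list covers the bulk writes plus the template and pipeline loading the system module needs, and any action still missing shows up by name in Filebeat's 403 error so it can be added. OS_DRY_RUN=1 prints the requests instead of sending them.

```bash
#!/bin/sh
# Added example (not from the PerLod article): create a least-privilege
# filebeat_writer user with the OpenSearch Security plugin API.
# Assumptions, adjust for your cluster:
#   OS_URL        OpenSearch endpoint, e.g. https://10.0.0.10:9200
#   OS_CACERT     PEM file of the CA that signed the node certificate
#   OS_ADMIN_PASS password of the admin user allowed to edit security config
#   FILEBEAT_PASS password to set for the new filebeat_writer user
OS_URL="${OS_URL:-https://127.0.0.1:9200}"
OS_CACERT="${OS_CACERT:-/etc/opensearch/root-ca.pem}"
ROLE_NAME="filebeat_writer"
USER_NAME="filebeat_writer"

# os_api METHOD PATH BODY: one authenticated, CA-verified request (no -k).
# With OS_DRY_RUN=1 the request is printed instead of sent.
os_api() {
    method="$1"; path="$2"; body="$3"
    if [ "${OS_DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n%s\n' "$method" "$path" "$body"
        return 0
    fi
    curl --fail --silent --show-error --cacert "$OS_CACERT" \
        -u "admin:${OS_ADMIN_PASS:?set OS_ADMIN_PASS}" \
        -X "$method" "${OS_URL}${path}" \
        -H 'Content-Type: application/json' -d "$body"
}

# Role: write to filebeat-* only, plus the cluster-level calls Filebeat makes
# on startup (root/version check, index template, module ingest pipelines).
# Permission set is an assumption to start from; tighten or extend it from
# the action names OpenSearch reports in 403 responses.
create_writer_role() {
    os_api PUT "/_plugins/_security/api/roles/${ROLE_NAME}" '{
  "cluster_permissions": [
    "cluster:monitor/main",
    "cluster:monitor/health",
    "indices:admin/template/get",
    "indices:admin/template/put",
    "cluster:admin/ingest/pipeline/get",
    "cluster:admin/ingest/pipeline/put"
  ],
  "index_permissions": [{
    "index_patterns": ["filebeat-*"],
    "allowed_actions": ["create_index", "write"]
  }]
}'
}

# Internal user for Filebeat. The body is built by string interpolation, so
# refuse characters that would break out of the JSON string.
create_writer_user() {
    pass="${FILEBEAT_PASS:?set FILEBEAT_PASS}"
    case "$pass" in
        *\"*|*\\*) echo "FILEBEAT_PASS must not contain quotes or backslashes" >&2; return 2 ;;
    esac
    os_api PUT "/_plugins/_security/api/internalusers/${USER_NAME}" \
        "{\"password\": \"${pass}\"}"
}

# Map the user to the role; no backend roles, no admin mapping.
map_writer_role() {
    os_api PUT "/_plugins/_security/api/rolesmapping/${ROLE_NAME}" \
        "{\"users\": [\"${USER_NAME}\"]}"
}

setup_writer() {
    create_writer_role && create_writer_user && map_writer_role
}

# Apply only when asked:  OS_ADMIN_PASS=... FILEBEAT_PASS=... OS_APPLY=1 sh setup-writer.sh
if [ "${OS_APPLY:-0}" = "1" ]; then setup_writer; fi
```

After applying it, put filebeat_writer and its password in the output section of filebeat.yml; the admin password never leaves the OpenSearch node. The role deliberately has no read, delete or alias permissions, so a compromised log server can add documents to filebeat-* but cannot read other hosts' logs or erase its own trail.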
Step 5. Start Filebeat and Confirm Logs Are Sending
At this point, you can start Filebeat and make sure it is really sending Linux logs to OpenSearch.
Enable and restart the Filebeat service with the commands below:
sudo systemctl enable --now filebeat
sudo systemctl restart filebeat
Create a simple test log line with logger to generate a fresh syslog event:
logger "opensearch filebeat linux logs test"
Finally, check the Filebeat service logs with journalctl. You want to see the connection established and events published, with no repeated errors: a 401 means the username or password is wrong, and a 403 from OpenSearch names the action the writer role is missing.
sudo journalctl -u filebeat -n 200 --no-pager
Step 6. View Linux Logs in OpenSearch Dashboards
Now confirm that the data Filebeat ships is searchable in the OpenSearch web UI. OpenSearch Dashboards lets you search the logs in Discover and build simple charts and dashboards from them.
You can access Dashboards usually on port 5601:
http://DASHBOARDS-IP:5601
In Dashboards, create an index pattern such as filebeat-* and choose @timestamp as the time field.
Then open Discover and search for your test message:
opensearch filebeat linux logs test
If you do not see data:
- Confirm the OpenSearch output host, user, password, and TLS settings in filebeat.yml.
- Confirm the system module is enabled and auth and syslog are enabled in modules.d/system.yml.
Once logs are visible, these simple searches are a good start:
- SSH failures: search for sshd and Failed password.
- sudo usage: search for sudo and session opened.
- Service errors: search for error and filter by host.name to see which server produced it.
These give a quick view across servers from the auth and syslog data.
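The "sshd and Failed password" search above is really a count of failures per source address. As an added example that is not part of the article, the script below runs that logic over a few constructed auth.log lines (the same lines the system module's auth fileset ships) so it is clear what the search counts and why grouping by source matters; the threshold and the sample lines are made up for the demonstration.

```bash
#!/bin/sh
# Added example (not from the PerLod article): failed SSH logins per source
# IP over raw auth.log lines, with a threshold for likely brute force.

# Constructed sample: three failures from 203.0.113.7, one failure and one
# success from 198.51.100.9, and a sudo line that must not be counted.
SAMPLE_AUTH_LOG='Mar  4 10:01:02 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  4 10:01:05 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  4 10:01:09 web1 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Mar  4 10:02:30 web1 sshd[2230]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Mar  4 10:02:44 web1 sshd[2233]: Accepted publickey for alice from 198.51.100.9 port 40030 ssh2: ED25519 SHA256:abc
Mar  4 10:03:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx'

# failed_ssh_by_ip: read auth.log lines on stdin, print "<count> <ip>" per
# source, highest first. Only sshd "Failed password" lines match; the source
# is the token after "from", which is in the same place for the
# "invalid user" and known-user variants of the message.
failed_ssh_by_ip() {
    awk '
        / sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# brute_force_sources THRESHOLD: print only sources with at least THRESHOLD
# failures, one IP per line.
brute_force_sources() {
    threshold="$1"
    failed_ssh_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample. With real data, pipe the file:
#   sudo cat /var/log/auth.log | brute_force_sources 5
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
```

In Dashboards the same grouping is a terms visualization on the source address field that the auth fileset extracts, filtered to the failed-password events, and the threshold becomes the alert condition. A single source over the threshold is the easy case; a password-spraying attacker spreads attempts across many addresses, so also watch the count of distinct usernames tried per host.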
Troubleshooting OpenSearch Filebeat Linux Logs
Even with a correct setup, small issues can stop logs from showing up in OpenSearch Dashboards, like a wrong output address, TLS problems, or a disabled Filebeat module.
Here are some common errors and fixes:
Error 1: Filebeat does not connect to OpenSearch.
If you see version or compatibility errors, remember OpenSearch clearly says Beats newer than 7.12.x are not supported, and recommends Logstash as a workaround if you must use newer Beats.
Try to use Filebeat OSS 7.12.x as described in this tutorial or send Beats to Logstash, then use the OpenSearch output plugin for Logstash.
Error 2: No auth logs in the index.
The system module must have auth.enabled: true, and paths may need to be set if your log file location is not the default for your OS.
auth:
  enabled: true
  var.paths: ["/var/log/auth.log*"]
Error 3: TLS problems.
If your cluster uses a real CA, set ssl.certificate_authorities so Filebeat trusts it; that is the documented method for secured clusters. Also check that the name or IP in hosts matches a Subject Alternative Name in the node certificate.
ssl.verification_mode: none gets a quick test past certificate errors, but it removes the protection TLS is there to provide and is not a safe production choice.
FAQs
Can Filebeat send logs directly to OpenSearch?
Yes, but OpenSearch documents that direct Beats support is limited to Beats OSS up to 7.12.x, so staying in that range is the safe route.
How do I make Filebeat read the correct syslog and auth files?
Use the Filebeat system module and set var.paths if your distro uses different log file paths.
Do I need to load dashboards from Filebeat?
No. Filebeat's bundled dashboards are built for Kibana; with OpenSearch you create the index pattern and visualizations in OpenSearch Dashboards by hand instead.
Conclusion
At this point, you have a working setup to monitor Linux logs with OpenSearch and Filebeat. OpenSearch stores and searches the data, and Filebeat ships syslog and auth logs from each server into one place.
Just remember to keep it safe by using TLS, a limited writer user, and firewall allowlists, then build dashboards and alerts for events like failed SSH logins, sudo activity, and service errors.
Tip: For a stable logging server, you can deploy OpenSearch on a flexible VPS server with enough CPU, RAM, and SSD, then ship all Linux logs to that VPS with Filebeat so you can search and monitor everything in one place.
We hope you enjoy the OpenSearch Filebeat Linux Logs guide. Subscribe to our X and Facebook channels to get the latest updates and articles.